audcntl(2)
NAME
audcntl - audit control
SYNOPSIS
#include <sys/audit.h>
audcntl(
int request,
char *argp,
int len,
int flag,
uid_t audit_id,
pid_t pid );
DESCRIPTION
The audcntl system call provides control over flags offered by the audit
subsystem. All requests, except where otherwise noted, are privileged. The
following list describes the requests:
GET_SYS_AMASK and SET_SYS_AMASK
The system auditmask (along with the process auditmask) determines
which system events are logged. GET_SYS_AMASK copies the system
auditmask into a buffer pointed to by argp. SET_SYS_AMASK copies from
a buffer pointed to by argp into the system auditmask. Each of these
operations returns the number of bytes transferred between the user's
buffer and the auditmask. The len argument is the size of the user's
buffer. The amount of data moved between the auditmask and the user's
buffer is the smaller of the auditmask size and the buffer size.
GET_TRUSTED_AMASK and SET_TRUSTED_AMASK
The trusted auditmask (along with the process auditmask) determines
which trusted events are logged. GET_TRUSTED_AMASK copies the trusted
auditmask into a buffer pointed to by argp. SET_TRUSTED_AMASK copies
from a buffer pointed to by argp into the trusted auditmask. Each of
these operations returns the number of bytes transferred between the
user's buffer and the auditmask. The len argument is the size of the
user's buffer. The amount of data moved between the auditmask and the
user's buffer is the smaller of the auditmask size and the buffer size.
GET_PROC_AMASK and SET_PROC_AMASK
The process auditmask determines (along with the system masks) which
system events and trusted events are logged for the current process.
GET_PROC_AMASK copies the process auditmask into a buffer pointed to by
argp. The size of the process auditmask is AUDIT_MASK_LEN, and
contains a syscall mask followed by a trusted event mask.
SET_PROC_AMASK copies the values from a buffer pointed to by argp into
the process auditmask. Each of these operations returns the number of
bytes transferred between the user's buffer and the auditmask. The len
argument is the size of the user's buffer. The amount of data moved between the
auditmask and the user's buffer is the smaller of the auditmask size
and the buffer size.
GET_PROC_ACNTL and SET_PROC_ACNTL
GET_PROC_ACNTL returns the audit control flags (the audcntl flag) of
the current process (see audit.h). Audit control flags determine
whether auditing for the process is on or off, and if on, how the
system and process auditmask are combined. A value of AUDIT_OFF
indicates audit is off for that process. A value of AUDIT_AND or
AUDIT_OR indicates that a logical AND or a logical OR of the process
and the system auditmasks has been performed. A value of AUDIT_USR
indicates the process auditmask is used for that process; the system
auditmask is ignored. SET_PROC_ACNTL assigns the values of the audit
control flags from flag and returns the previous values of the audit
control flags.
GET_AUDSWITCH and SET_AUDSWITCH
GET_AUDSWITCH returns the value of the system audit switch. A return
value of 1 indicates auditing is turned on. A value of zero indicates
auditing is turned off. SET_AUDSWITCH assigns the value of flag to the
system audit switch and returns the previous audit switch value. A
value of 1 turns auditing on. A value of zero turns auditing off.
FLUSH_AUD_BUF
Flushes the kernel audit buffer to /dev/audit. In a cluster, /dev/audit
is a CDSL (context dependent symbolic link).
GETPAID and SETPAID
Not supported.
GET_AUDSTYLE and SET_AUDSTYLE
The system auditing style supports various flags to control how much
additional information is recorded in some audited operations.
GET_AUDSTYLE returns the current value of the system audstyle flag.
SET_AUDSTYLE sets the system audstyle flag to the value of flag, and
returns the previous value of the audstyle flag. A flag value of
AUD_EXEC_ARGP enables the auditing of the argument list to the exec
system calls. A flag value of AUD_EXEC_ENVP enables the auditing of the
environment strings to the exec system calls. AUD_LOGIN_UNAME enables
the auditing of the username in records for failed login attempts. A
logical OR can be performed on flag values.
GET_SITEMASK and SET_SITEMASK
The site mask determines which site-defined events are logged.
GET_SITEMASK copies the site mask into a buffer pointed at by argp.
SET_SITEMASK copies from a buffer pointed at by argp into the site
mask. Each of these operations returns the number of bytes transferred
between the user's buffer and the site mask. The len argument is the
size of the user's buffer. The amount of data moved between the site
mask and the user's buffer is the smaller of the site mask size and the
buffer size.
UPDEVENTS
Update the auditmask flag, the audcntl flag, or both for the specified
process or set of processes. The argp parameter contains the new
auditmask; len is the size of the user's buffer. A len value of 0 will
not modify the target process' auditmask. The flag parameter, if not
-1, contains the new audcntl flag. The process ID (pid), if not 0,
specifies the target process. The audit_id parameter, if not
AUID_INVAL, specifies the set of all processes with that audit_id.
GET_HABITAT_EVENT and SET_HABITAT_EVENT
GET_HABITAT_EVENT gets the "habitat/system call" name and auditmask
bits for a specified system call number. The flag parameter is the
system call number. The argp parameter points to a user buffer of size
len into which the "habitat/system call" name is placed. The return
value is the auditmask bits, which indicate whether successful
occurrences, failed occurrences, or both of this system call are
logged. SET_HABITAT_EVENT sets the auditmask bits for the specified
"habitat/system call" name. The argp parameter points to a user buffer
of size len which specifies the habitat name and system call name (for
example, SystemV/unlink). The flag parameter is the new setting for the
auditmask bits for this system call. Note that these flags apply only
to system calls in the alternate habitats.
GET_NSITEVENTS
Returns the number of site events currently allowed on the system. This
number is determined by the sysconfig sec parameter audit_site_events.
GET_AUDSIZE
Returns the base size of an audit data buffer. This number is
determined by the sysconfig sec parameter audit_buffer_size.
GET_OBJAUDBIT and SET_OBJAUDBIT
Gets or sets an object's selection and deselection flags. The object
is named by argp. For SET_OBJAUDBIT, the flag argument specifies
AUD_SELECT and/or AUD_DESELECT (see the "<sys/audit.h>" file).
GET_SUBJ_AMASK
Copies the process auditmask for the process specified by the pid
argument into a buffer pointed to by argp. The len argument is the size
of the user's buffer. The amount of data moved between the auditmask
and the user's buffer is the smaller of the auditmask size and the
buffer size. This operation returns the number of bytes copied out to
the user buffer.
GET_SUBJ_ACNTL
Returns the audit control flags (the audcntl flag) of the process
specified by the pid parameter.
RETURN VALUES
The values returned for successful calls can be found under the description
of the specific call request.
If a call fails, a -1 is returned.
ERRORS
The audcntl call fails under the following conditions:
[EFAULT]
The argp argument contains an invalid address.
[EACCES]
The user does not have the privileges needed to perform this operation.
[EINVAL]
The value of the len, request, or audit_id argument is invalid.
[ENOMEM]
Insufficient memory to accommodate site mask or property list
operation.
[ENOSYS]
Indicates an attempt to use a system call that is not configured.
[EROFS]
The filesystem is read-only; property lists cannot be set.
[EIO]
The argp argument contains an invalid address.
[ESRCH]
The specified pid does not exist.
[E2BIG]
With GET_OBJAUDBIT specified, indicates an invalid property list entry.
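EXAMPLES
The following is an added example, not part of the original manual page or of the system's own code. It models in portable C how the audit switch, the audcntl flag (GET_PROC_ACNTL) and the two auditmasks decide what is logged for one event, and the "smaller of the two sizes" transfer rule of the GET_/SET_*_AMASK requests. The M_* names and values, the 8-byte mask size and the two-bits-per-event layout are assumptions for illustration; a real program uses the definitions in <sys/audit.h>.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, NOT the values from <sys/audit.h>. */
enum model_acntl { M_AUDIT_OFF, M_AUDIT_AND, M_AUDIT_OR, M_AUDIT_USR };
#define M_MASK_LEN 8   /* assumed mask size in bytes */
#define M_SUCC 0x1u    /* assumed bit: log successful occurrences */
#define M_FAIL 0x2u    /* assumed bit: log failed occurrences */

/* GET_/SET_*_AMASK transfer rule: move the smaller of the two sizes and
 * return the number of bytes moved, so a short buffer truncates silently. */
size_t model_copy_mask(unsigned char *dst, size_t dst_len,
                       const unsigned char *src, size_t src_len)
{
    size_t n = dst_len < src_len ? dst_len : src_len;
    memcpy(dst, src, n);
    return n;
}

/* Assumed layout: two bits per event, four events per byte. */
static unsigned bits_for(const unsigned char *mask, unsigned event)
{
    if (event >= M_MASK_LEN * 4u) return 0;   /* outside the mask */
    return (mask[event / 4] >> ((event % 4) * 2)) & 0x3u;
}

/* Success/failure bits in force for one event of one process. */
unsigned model_effective_bits(int audswitch, enum model_acntl acntl,
                              const unsigned char *sys_mask,
                              const unsigned char *proc_mask, unsigned event)
{
    unsigned s = bits_for(sys_mask, event), p = bits_for(proc_mask, event);
    if (!audswitch) return 0;        /* system audit switch is off */
    switch (acntl) {
    case M_AUDIT_AND: return s & p;
    case M_AUDIT_OR:  return s | p;
    case M_AUDIT_USR: return p;      /* system auditmask is ignored */
    default:          return 0;      /* M_AUDIT_OFF */
    }
}

int main(void)
{
    /* Constructed sample masks: only the first byte is populated. */
    unsigned char sys[M_MASK_LEN] = {0x0B}, proc[M_MASK_LEN] = {0x11};
    printf("event 1 under OR: %u\n",
           model_effective_bits(1, M_AUDIT_OR, sys, proc, 1));
    return 0;
}
```

Because the transfer is truncated rather than rejected, a caller that passes a buffer shorter than the mask should compare the return value with the expected mask size before trusting the result.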
SEE ALSO
Commands: auditconfig(8), dxaudit(8X)
Security